Looking at Information Security from different perspectives
Edgard Chammas
University Of Balamand
Byblos Startup Weekend – March 1, 2013

Outline
* How users see it?
* How hackers see it?
* How developers see it?
* How companies see it?
* How the media sees it?
* How governments see it?
* The current state in Lebanon
* Some security incidents and facts in Lebanon
* For a better digital Lebanon

How users see it?
* Not all people have a good technical background
* Most of them are not security aware
* They are prone to attacks such as “Social Engineering”
* Security is always an end-to-end solution
=> If you fail at any point, you FAIL!
* Securing a process from Source to Sink is a big challenge
=> You can't blame Facebook when your password is your
phone number :)
* Security awareness for users is inevitable

How hackers see it?
* Simply. It's a “game”
* They can be anyone. No exceptions.
* They are human => prone to errors
* But, they have an advantage over you
=> They think “out of the box”
=> A single bug is enough for a hacker to break in
* Security is a chain; it's only as secure as the weakest link
* They rely on the fact that nothing is 100% secure
* They look for vulnerabilities that can be exploited to pwn you!

How developers see it?
* It's hard to build a product that meets security standards
* Some developers aren't security aware
=> Sometimes it is not enough to just look “sexy”
* Some developers tend to secure their product at the testing stage
=> You will FAIL! Especially in big and complex systems
* Some of them take the role of a penetration tester
=> Can psychologists diagnose their own mental health
problems? No.
* Some of them adopt Security Through Obscurity practices
Security Through Obscurity depicted...

How companies see it?
* Companies only care about making profit
* They start investing in security as soon as they realize they risk
losing money
=> This often happens right after a security incident
* Big companies invest millions of dollars to secure their Infrastructure
against all known attacks
Q: What about 0-day attacks?
A: Proactive solutions? Hmm...
* Some of them went further by creating “Bug Bounty” programs!
Facebook Bug Bounty program

How the media sees it?
* It tells the truth most of the time
* Most of the time it gets the details wrong
* Nevertheless, it does the job of highlighting security incidents
=> Pushing companies and governments to improve security
* Sometimes it goes mad. It abuses security for other purposes
=> You most probably heard of WikiLeaks
=> Most of its leak donors are hackers
* Obviously, the media is part of the “game”

How the governments see it?
* They want to know everything about anyone
* But they absolutely don't want you to get into their business
=> WikiLeaks is to governments what Jerry is to Tom
* They hire hackers of different colors (the good and the bad)
1) to take care of internal security
2) or take part in the global cyber war
=> Haven't you heard of Flame, Duqu and Stuxnet? ;)
* Now we have a war taking place on the internet!
=> It's not a cold war. A real one!

The current state in Lebanon
* Poor security!
* Leading companies and parties in the public and private sectors
(internet, telecommunication, education, e-commerce,
financial... etc) are vulnerable to primitive and basic types of
attacks
=> Absence of minimal security measures
* This tragic state is affecting the outcome of the internet, although it
was essentially made for our benefit
=> We need a move!

Some security incidents and facts in Lebanon
* Good amount of bad security practices by the major ISPs
* WEP can be cracked in 5 minutes. But some deployed routers'
passwords can be retrieved instantly with a small Python script
=> Privacy invasion, abuse of the internet resources
* Clone a DSL router configuration in Saida, connect it in Batroun
then hack everyone without a proxy ^^
=> The next day you hear about the cyber crime team
investigating in Saida
* Clone your SIM card, appear in two different locations at the
same time and no one cares (+1 for Telecom companies)
=> National Security agencies, good luck
trying to track foreign agents and terrorists
when they use a time machine
* A database containing information on thousands of phone numbers
and their IMSIs has been leaked online
=> Tracking mobile users for fun and profit!
* One of the biggest companies for online e-commerce having its
admin panel login page injectable via 'OR 1=1--
=> Information disclosure and compromise of
hundreds of credit cards
* Serious vulnerabilities in Telecom companies' web services
=> Privacy invasion, and abuse of web and mobile services
* A number of government websites' main pages defaced
=> 4 shared-hosting servers, hundreds of websites penetrated
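
Why a login form accepts the 'OR 1=1-- input from the e-commerce bullet above, and the fix, as an added example (not from the original slides). The users table, function names and credentials are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# One fixed salt keeps the demo short; use a random per-user salt in practice.
DEMO_SALT = b"constructed-demo-salt"


def pw_hash(password):
    """Slow password hash, hex-encoded so it is safe to embed or compare."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 50_000).hex()


def make_db():
    """Constructed in-memory table holding a single admin account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", pw_hash("S3cret-constructed")))
    return db


def login_vulnerable(db, name, password):
    # The input is pasted into the SQL text: a quote in `name` closes the
    # string literal, and everything after it is parsed as SQL.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, name, password):
    # The placeholder sends `name` as data only; it is never parsed as SQL.
    row = db.execute("SELECT name, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    # The password check happens outside SQL, in constant time.
    if row and hmac.compare_digest(row[1], pw_hash(password)):
        return row[0]
    return None


if __name__ == "__main__":
    db = make_db()
    payload = "'OR 1=1--"  # the input quoted on the slide
    print("vulnerable:", login_vulnerable(db, payload, "x"))
    print("safe:      ", login_safe(db, payload, "x"))
    print("real login:", login_safe(db, "admin", "S3cret-constructed"))
```

With the concatenated query the WHERE clause becomes name = '' OR 1=1 and the password test is commented out, so the first row is returned without any valid credential.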
* We keep hearing about local websites being hacked
=> among them are those of media, universities and big parties...
* Some ISP companies are abusing customers' data traffic
=> e.g. hijacking Facebook accounts
* Tried to approach a number of big Lebanese companies about
security weaknesses in their systems
=> No reply. Silence. They don't care?!

For a better digital Lebanon
* Need for a cyber crime law
* Need for skilled personnel at the different parties involved in
cyber crime in Lebanon
* Need for good coordination between the ISPs and the
government agencies
* Need the government to oblige ISPs to follow a clear and
strict policy for their operation
* Where is the media? We need awareness!
* Need a call for a Lebanese Hacking group. Are you in?
Thank You!
Looking forward to seeing you at the
Web Security Workshop :)